Skip to content

Instantly share code, notes, and snippets.

@koba04

koba04/safari-samesite-none.md

Last active July 26, 2022 10:37
Show Gist options
  • Save koba04/d52765516600ec51d1761bb0ce994a11 to your computer and use it in GitHub Desktop.
Save koba04/d52765516600ec51d1761bb0ce994a11 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
safari-samesite-none.md

https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/

1. Does Safari block 3rd party cookies with SameSite=None?

I've created to test it, but I'm confused by the result. https://animated-caribou.glitch.me/

The result

  • Chrome: only display the cookie value with SameSite=None in iframe.
  • Firefox: display all cookie values in iframe
  • Safari(Catalina): display nothing in iframe
  • Safari(Mojave): display all cookie values in iframe
without SameSite attribute SameSite=None
Safari 13.1(Catalina)
Safari 13.0(Catalina)
Safari 13.1(Mojave) ⭕️ ⭕️
Chrome ⭕️
Firefox ⭕️ ⭕️
  • ⭕️... Can get a 3rd party cookie
  • ❌... Can not get a 3rd party cookie

It depends on the setting of "Prevent cross-site tracking" whether Safari blocks 3rd party cookies of which SameSite attribute is None or not.

The glitches

Safari seems to block 3rd party cookies regardless of the SameSite attribute from Catalina.

If so, is this behavior only on Catalina(Safari 13.0, 13.1)?

I can't reproduce the behavior with Safari 13.1 on Mojave. But the blog post says "Safari 13.1 on macOS", which doesn't say anything about macOS versions.

Does Web Inspector support SameSite=None attribute?

When I run the glitch, Web Inspector doesn't mark the cookie as SameSite=None,

See the attached file in a comment. https://gist.github.com/koba04/d52765516600ec51d1761bb0ce994a11#gistcomment-3238700

You can reproduce this by visiting the site with Safari 13.1 on Catalina. https://probable-oxidized-leather.glitch.me/

@koba04
Copy link
Author

koba04 commented Jul 21, 2020

@ceckoslab I've filed the issue and had an answer from the WebKit team.

The em dash (—) represents the "None" value, both in the case that it is explicitly specified (SameSite=None) and in the case that SameSite is entirely omitted (from what I understand, this will be interpreted as if SameSite=None).

https://bugs.webkit.org/show_bug.cgi?id=210178

@ceckoslab
Copy link

Hello @koba04,

Thanks for responding so quickly. My question was more about the point "1. Does Safari block 3rd party cookies with SameSite=None?". The different behavior between Catalina and Mojave is the thing that worries me and looks like it could break things.

Are you aware of any bug reports about point 1?

@ceckoslab
Copy link

Hello @koba04,

I think that I finally understood it. Seems that we have different behavior in Mojave and Catalina when Prevent cross-site tracking is enabled.

My confusion with this is that I can' find any release notes that say if that is the intended behavior. My theory is that in Catalina the Safari team fixed what was their initial intend with Prevent cross-site tracking in Mojave but probably they were not so strict in Mojave ...

Thanks for doing the research!

@koba04
Copy link
Author

koba04 commented Jul 21, 2020

@ceckoslab As I mentioned https://gist.github.com/koba04/d52765516600ec51d1761bb0ce994a11#gistcomment-3305451, I've found that this depends on the setting of "Prevent cross-site tracking".
But I could not confirm that how Safari on Mojave behaves because I don't have any environments of Mojave.

Do you mean that there is a case that Mojave doesn't block 3rd party cookie?

@ceckoslab
Copy link

ceckoslab commented Jul 21, 2020
edited
Loading

Yes @koba04 , on Mojave I can see on SiteB the following cookies: foo=SiteBCookie; foo2=SiteBNone.

If I am right then probably it's worthy that we open another issue/question for the Safari team.

Reference:

OS version: macOS Mojave 10.14.6
Browser: Safari Version 13.1.1 (14609.2.9.1.3)

Prevent cross-site tracking: Enabled
Screen Shot 2020-07-21 at 2 20 26 PM

Result from your test:
Screen Shot 2020-07-21 at 2 19 58 PM

@koba04
Copy link
Author

koba04 commented Jul 21, 2020

@ceckoslab Thank you for your investigation!

If I am right then probably it's worthy that we open another issue/question for the Safari team.

Yeah, I agree with you.
According to your research, it seems to be a current behavior that Safari 13.1 on Catalina blocks all 3rd party cookies. The blog post didn't mention the OS version though.
https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/

@ceckoslab
Copy link

Hello @koba04

I filed a bug: https://bugs.webkit.org/show_bug.cgi?id=214608

But it looks like this is a feature ... concluded by reading some other people's bugs: https://bugs.webkit.org/show_bug.cgi?id=210298

@koba04
Copy link
Author

koba04 commented Jul 22, 2020

Thank you!!

@kylekyle
Copy link

kylekyle commented Aug 8, 2020

I was spinning my wheels trying to figure out what was going on with Safari and SameSite. This page saved me! Thank you very much!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment